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Abstract —In this paper, we describe several practically ex¬ 
ploitable fault attacks against OpenSSL’s implementation of 
elliptic curve cryptography, related to the singular curve point 
decompression attacks of Blomer and Gunther (FDTC2015) and 
the degenerate curve attacks of Neves and Tibouchi (PKC 2016). 

In particular, we show that OpenSSL allows to construct EC 
key files containing explicit curve parameters with a compressed 
base point. A simple single fault injection upon loading such a 
file yields a full key recovery attack when the key file is used for 
signing with ECDSA, and a complete recovery of the plaintext 
when the file is used for encryption using an algorithm like 
ECIES. The attack is especially devastating against curves with 
j-invariant equal to 0 such as the Bitcoin curve secp256kl, for 
which key recovery reduces to a single division in the base field. 

Additionally, we apply the present fault attack technique to 
OpenSSL’s implementation of ECDH, by combining it with Neves 
and Tibouchi’s degenerate curve attack. This version of the 
attack applies to usual named curve parameters with nonzero 
j-invariant, such as P192 and P256. Although it is typically more 
computationally expensive than the one against signatures and 
encryption, and requires multiple faulty outputs from the server, 
it can recover the entire static secret key of the server even in 
the presence of point validation. 

These various attacks can be mounted with only a single 
instruction skipping fault, and therefore can be easily injected 
using low-cost voltage glitches on embedded devices. We validated 
them in practice using concrete fault injection experiments on 
a Rapsberry Pi single board computer running the up to date 
OpenSSL command line tools—a setting where the threat of fault 
attacks is quite significant. 

Index Terms —OpenSSL, Invalid curve attack, Fault attack, 
Embedded security, Singular curve, Supersingular curve 

I. Introduction 

A. Physical Attacks against Cryptographic Devices 

As the number of devices holding sensitive information is 
on the rise, it is essential to actively research and develop 
cryptographic schemes that remain secure even when deployed 
in real life conditions; more concretely, we have to take into 
account the existence of physical attacks against the devices 
that execute cryptographic algorithms. Physical attacks are 
very powerful tools that allow adversaries to deviate from 
traditional security models and ultimately bypass computation¬ 
ally hard problems. One can roughly classify physical attacks 
into two types. The first one, side-channel analysis , consists of 
passive attacks that attempt to recover secret information from 
the physical leakage of cryptographic computations, such as 
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the time it takes to carry out certain operations, or the power 
consumption of the device as the computation is performed. 
The second one, fault analysis, consists of even stronger, active 
attacks that seek to learn secrets by deliberately tampering 
with the device to cause malfunction or otherwise unexpected 
behavior, by modifying the voltage of the power source at 
carefully chosen points in time, subjecting the device to sudden 
changes of temperature, etc. [1], These types of attacks have 
been experimentally shown to be feasible in realistic settings, 
and do, in fact, affect the security of numerous cryptographic 
primitives and protocols in the real world. As the advent 
of Internet of Things (IoT) is likely to make this threat 
even more pressing, evaluating the power of physical attacks 
and proposing appropriate countermeasures before deploying 
new cryptographic schemes is crucial in preventing sensitive 
information from getting into the wrong hands. [2] 

B. Implementation Attacks against ECC 

Elliptic curve cryptography (ECC) is frequently used nowa¬ 
days because it offers relatively short key length to achieve 
good security strength. Elliptic curve-based cryptographic 
schemes typically operate in the group of rational points 
of an elliptic curve over a finite field, and their security 
relies on the hardness of the elliptic curve discrete logarithm 
(ECDLP) or related problems. Possibly the best-known such 
schemes are the Elliptic Curve Digital Signature Algorithm 
(ECDSA) [3], the Elliptic Curve Diffie-Hellman key exchange 
(ECDH) [4], and the Elliptic Curve Integrated Encryption 
Scheme (ECIES) [5]. Since ECC schemes are standardized 
and adopted in many cryptographic libraries like OpenSSL [6], 
their security against physical attacks, such as fault attacks [7], 
is of prime concern. 

Biehl et al. [8] addressed the first fault attacks against ECC, 
and various related techniques have been developed in the 
literature since. One of the most recently discovered attacks, 
which we extend in this work, is the singular curve point 
decompression (SCPD) attack by Blomer and Gunther [9], 
The idea of the SCPD attack is quite simple but its effect 
is highly destructive: if the base point of an elliptic curve 
(in short Weierstrass form) with j-invariant 0 is computed 
from the compressed form before its use in scalar multipli¬ 
cation, one can completely bypass the ECDLP by injecting 


a single instruction skipping fault, and consequently recover 
the secret scalar. The recovery technique is based on the 
fact that, after skipping a suitable instruction during point 
decompression, the perturbed decompressed base point will 
lie on a singular cubic curve of additive type; in other words, 
when carried out on that singular curve, the group operations 
correspond to a group structure isomorphic to F+, the additive 
group of the base field. Blomer and Gunther mounted the 
SCPD attack on an AVR microcontroller running the Boneh- 
Lynn-Shacham (BLS) signature scheme [10] instantiated with 
Barreto-Naehrig (BN) curves [11], and successfully recovered 
the secret key. However, that signature scheme is not nearly 
as commonly used as a standardized scheme like ECDSA. 
In addition, the simple, traditional countermeasure of point 
validation thwarts the SCPD attack and the authors had to 
inject an additional fault to eliminate it, which assumes a 
very powerful adversary and would be much harder to achieve 
against more complex targets such as Linux-based embedded 
systems. Therefore, the practical impact of the attack appeared 
limited. 

As a less invasive implementation attack than fault attacks, 
Antipa et al. [12] initiated the study of the invalid curve 
attacks. These types of attacks usually exploit careless im¬ 
plementations that do not check if the input point satisfies the 
predefined curve equation. The adversary’s basic strategy with 
invalid curve attacks can be summarized as follows: 1) pick 
some malicious point P on a weak curve E where recovering 
partial information of the secret scalar is computationally 
easy, 2) send P to the scalar multiplication algorithm, and 
3) compute partial bits of the secret scalar k by examining 
an invalid output [k]P. The original invalid curve attacks 
only targeted curves in short Weierstrass form, and were only 
applicable against the ECC schemes using point arithmetic that 
is independent of at least one of the curve parameters, which 
is not the case for some newer curve models such as high- 
profile (twisted) Edwards curves [13], However, Neves and 
Tibouchi [14] recently presented an extension of the invalid 
curve attack, which they call degenerate curve attacks, and 
showed that similar attacks can even be exploitable against 
other curve models including Edwards curves. They also 
described a Pohlig-Hellman-like technique [15] to mount 
the attack in a situation where the adversary cannot obtain 
the raw result of scalar multiplication, but can only get the 
hash of it. Though such a setting does appear in practical 
instances of ECDH, their targeted model fails to capture the 
significant property of real-world protocols: in most ECDH 
implementations, a shared secret key is not derived from the 
resulting curve point itself, but from its x-coordinate. Hence 
their approach cannot be directly applied to widely deployed 
ECDH implementations. 

C. Our Contributions 

In this paper, we identify fault attack vulnerabilities in 
OpenSSL’s elliptic curve cryptographic algorithms. Our main 
contributions can be summarized as follows: 


• As our first contribution, we present a variant of the 
SCPD attack and its direct application to OpenSSL’s 
elliptic curve-based digital signature and public key en¬ 
cryption. In particular, we show that OpenSSL allows to 
construct EC key files containing curve parameters with 
a compressed base point. A simple single fault injection 
upon loading such a file yields a full key recovery attack 
when the key file is used for signing with ECDSA, and a 
complete recovery of the plaintext when the file is used 
for encryption using SM2-ECIES. The attack is especially 
devastating against curves with /-invariant equal to 0 such 
as seep k series standardized by SECG [16], for which 
the recovery reduces to a single division in the base field. 
Our variant of the SCPD attack injects a fault into the 
parameter initialization phase of elliptic curves, while 
the original method by Blomer and Gunther targets point 
decompression algorithm itself. We stress that the present 
method strengthens the original because ours does not 
require an expensive double fault to circumvent the point 
validity check, which is a widely accepted countermea¬ 
sure against most invalid curve attacks nowadays. 

We also mention that recovering the secret scalar k in 
our setting is actually slightly more involved, because 
OpenSSL (and many other cryptographic libraries) relies 
on a scalar multiplication algorithm that first rewrites the 
scalar to fix its bit-length (as a countermeasure against 
Brumley and Tuveri’s remote timing attacks [17]), and 
as a result, the actual scalar used in the algorithm is 
congruent to k modulo n, but not equal as an integer. We 
describe a simple technique to deal with this situation. 

• Additionally, we apply the present fault attack technique 
to OpenSSL’s implementation of ECDH, by combining it 
with Neves and Tibouchi’s degenerate curve attack. The 
attack in this part targets usual named curve parameters 
with nonzero /-invariant. In an ECDH key exchange, as 
opposed to the case of ECDSA and SM2-ECIES, the raw 
result of scalar multiplication on a degenerate curve is 
usually not available to an adversary; all she could obtain 
is some ciphertext generated with a shared secret key 
derived from the resulting point, and therefore our variant 
of the SCPD attack cannot be easily exploited against 
it. To overcome this limitation, we employ a Pohlig- 
Hellman-like technique by Neves and Tibouchi. We first 
modify their ECDH model to properly capture more 
realistic protocols, and accordingly describe our version 
of Pohlig-Hellman-like attack. The attack is typically 
more computationally expensive than the one against 
signature and encryption schemes, and requires multiple 
faulty outputs from the server, but can recover the entire 
static secret key even in the presence of an EC public key 
validation function. 

• We experimentally verified that the above attacks reliably 
work in a practical situation where physical attacks would 
be of paramount concern; in particular, we make use 
of O’Flynn’s low-cost voltage glitch fault [18] to mount 


the attacks on the following three specific command line 
operations of OpenSSL when executed in widely used 
Raspberry Pi single board computer [19]: 

- ECDSA signature generation with dgst -sign com¬ 
mand, 

- SM2-ECIES encryption with pkeyutl -encrypt 
command, and 

- ECDH key exchange with pkeyutl -derive com¬ 
mand. 

To the best of our knowledge, this is the first work that 
presents experimental results on practically exploitable 
fault attacks against cryptographic algorithms executed 
in Raspberry Pi. 

Organization of the paper: The remainder of the pa¬ 
per is organized as follows. Section II summarizes relevant 
mathematical facts, cryptographic schemes, and the SCPD 
attack by Blomer and Gunther. Section III presents our fault 
injection technique against OpenSSL’s ECDSA and SM2- 
ECIES implementation as well as the experimental results 
of the attack on OpenSSL command line tools installed in 
Raspberry Pi. Section IV extends the present attack to ECDH 
key exchange in OpenSSL. We finally give concluding remarks 
in Section VI. 


II. Preliminaries 

A. Elliptic Curve Defined over Prime Fields 

Let p be a prime satisfying p > 3. A short Weierstrass form 
of an elliptic curve defined over F p is given by the following 
affine equation: 

E/¥ p : y 2 = a; 3 + Ax + B 

where the coefficient A and B are in F p . The F p -rational points 
of E, including the point at infinity O = (0 : 1 : 0), form an 
abelian group under the following operations: 


-P := ( x P ,-yp) 

P + Q ■= (A“ - xp - xq,X(xp — Xp + q ) - yp) 


A := 


vp-vq 

Xp—XQ 

3 x 2 p +A 
2yp 


if Q ^ ±P 
if Q = p 


where P = ( x P ,y P ), Q = ( x Ql y Q ) and P + Q = 
(x P+ Q,y P+ Q), respectively. 

Throughout the entire paper, we assume that the stan¬ 
dardized prime curves are defined by the following domain 
parameters D: 

V := (p, c) 


D. Related Works 

An invalid curve attack against curves in Weierstrass form 
was first developed by Antipa et al. [12], and the subse¬ 
quent works extended it to hyperelliptic curves [20], GLS 
setting [21] and twisted Edwards curves [14], Fault attack 
techniques have been occasionally exploited to force an EC 
scalar multiplication algorithm to operate on weak curves [22], 
[23], [24], [25], [9] since the seminal work of Biehl et al. [8] 

Brumley et al. [26] discovered a software bug attack on 
TLS-ECDH implementation of OpenSSL. Jager et al. [27] also 
practically applied invalid curve attacks to several real-world 
implementations of TLS-ECDH. Valenta et al. [28] recently 
performed a broad survey of ECC schemes in the wild and 
confirmed their resistance to well-known invalid curve attacks. 

Side-channel leaks from (EC)DSA in OpenSSL have been 
cryptanalyzed by a number of papers such as [29], [17], [30], 
[31], [32]. Tuveri et al. [33] recently carried out various types 
of side-channel analysis against SM2 cipher suite in the pre¬ 
release version of OpenSSL 1.1.1, and accordingly proposed 
the patchset to fix possible vulnerabilities. 

Various techniques of fault analysis and their countermea¬ 
sure are surveyed in [1], [34], and detailed analysis of clock 
or voltage glitch fault against ARM processor can be found 
in Korak and Hoefler’s work [35], Several papers such as 
Barenghi et al. [36] and Timmers et al. [37], [38] addressed 
fault analysis of general purpose CPU, though none of them 
were targeting elliptic curve cryptography. O’Flynn [18], [39] 
demonstrated that it is possible to cause malfunction in a 
simple for-loop program executed in Raspberry Pi, by injecting 
a voltage glitch fault from the Chip Whisperer side-channel and 
glitch attack evaluation board [40]. 


where P £ E( F p ) is a base point of prime order n, and c = 
#E(¥ p )/n is the curve cofactor. 

B. Singular Curve 

We now describe one of the degenerate cases of the group 
low defined in the previous subsection: the case of a singular 
curve. For more comprehensive and general treatment, see 
standard textbooks, e.g. [41] and [42], A point on a curve 
is said to be singular if the partial derivatives of the defining 
equation of E simultaneously vanish at that point. The curve 
is said to be singular if there exists at least one singular point 
on it. Now we consider the following cuspidal singular curve 
E defined by a short Weierstrass equation with A = B = 0: 

E : y 2 = x 3 

where (0,0) is the only singular point. The following fact 
plays a crucial role in the SCPD attack in Section II-G and 
our variant in Section III. 

Theorem 1. Let F+ be the additive group of F p and E{ F p ) be 
the set of nonsingular F p -rational points on E including the 
point at infinity O = (0 : 1 : 0). Then the map <f> : E( F p ) — > 
F+ with 

( x,y ) 1 t x/y 
0^0, 

is a group isomorphism between E(F p ) and F+. Its inverse 
<t >~ 1 : F+ -> E(¥ p ) is 

t^(l/t 2 ,l/t 3 ) 

0^0. 




C. Supersingular Elliptic Curve 

The other degenerate case we consider in this paper is that of 
supersingular elliptic curves, which can be defined as follows: 

Definition 1 (Supersingular curve). Let E be an elliptic curve 
defined over F p , where q is a power of the prime p. Then E 
is called supersingular when #E(F q ) = 1 (mod p). 

For q = p and p> 5, that condition is simply equivalent to 
#E(F p ) = p+1 by the Hasse bound. Our attack in Section IV 
relies on the following claim: 

Proposition 1. Suppose E' is an elliptic curve defined over 
F p and defined by the equation 

E 1 : y 2 = x 3 + Ax 


where A 0. If p = 3 mod 4, then E' is supersingular. 


Proof. We denote the quadratic residues of F p by Q1Z and 
the quadratic non-residue by QAflZ. Since p = 3 mod 4, 
— 1 = p— 1 £ QAflZ. Hence, if f(x) := x 3 +Ax £ Q1Z, then 
/(—x) = — (x 3 + Ax) = —f(x) £ QAflZ, and vice versa; in 
other words, if f(x) 7 ^ 0 then exactly one of {f(x), f{—x)} is 
in Q1Z. Let S be the set of x £ F p such that f[x) £ Q1Z and 
W be the set of roots of f(x). Because for any x £ F p \ W 
either 2 ; £ S' or — x £ S holds, we obtain 


# ((Fp \w)ns) 


#(Fp \ W) 
2 


Finally, the cardinality of F p -rational points of E' including 
the point at infinity can be counted as follows: 


#E'{ Fp) = 2 x # ((Fp \ W) n S) + #W + 1 = p + 1 


which implies E' is supersingular. 


□ 


An important property of supersingular curves is the fact 
that their group of points maps efficiently into a multiplicative 
group: this observation is the basis of the MOV attack of 
Menezes-Okamoto-Vanstone [43]. 


Proposition 2 (MOV attack). Let E be a supersingular curve 
over Fp, p > 5. Then there exists an injective, efficiently 
computable group homomorphism E(F p ) —> F* 2 (which can 
be expressed in terms of the Weil pairing on E). In particular, 
the discrete logarithm problem on E is no harder than the 
discrete logarithm problem in the multiplicative group F* 2 . 

D. ECDSA 

Algorithm 1 specifies the signature generation algorithm 
of ECDSA. We assume that an approved cryptographic hash 
function H : {0,1}* —> (Z/nZ)* is predefined. 


E. SM2-ECIES 

SM2 is a cipher suite recommended by Chinese Commer¬ 
cial Cryptography Administration Office [45] and has been 
recently supported by OpenSSL version 1.1.1 [46]. Its public 
key encryption algorithm, which we refer to as SM2-ECIES, 
is essentially a slightly modified version the ECIES ISO 
standard [5]. Algorithm 2 specifies the encryption algorithm 


Algorithm 1 ECDSA signature generation [44] 

Input: d £ Z/nZ: secret key, Q = [d]P: public key, M £ 
{ 0 , 1 }*: message to be signed, V: domain parameters 
Output: a valid signature (r, s) 

1: $(Z/nZ)* 

2: (x k ,y k ) £- [k\P 
3: r 4 — x k mod n 
4: h. <- H(M) 

5: s<^(h + rd)/k mod n 
6 : return (r, s) 


Algorithm 2 SM2-ECIES encryption [45] 

Input: Q £ E(¥ p ): public key, M £ {0,1}*: message to be 
encrypted, V: domain parameters 
Output: ciphertext (C\, C 2 , C 3 ) 
l: $(Z/nZ)* 

2: C'l = ( x k ,y k ) 4- [k\P 

3: (x',y') 4- [k)Q 

4: K 4 - KDF(x'||y', \M\) 

5: C 2 4- M © K 
6 : C 3 <— H(x'\\y'\\M) 

1 : return (C\. C 2 ,C :i ) 


of SM2-ECIES. Here \M\ is the bit-length of a message M, 
and KDF is a key derivation function which derives a shared 
secret key I\ satisfying |iC| = \M\. 

F. Point Compression 

Let P = (x,y) £ -E'(Fp) be a curve point. Since y = 
+s/x 3 + Ax + B or y = — \/x 3 + Ax + B, one can recover 
the y-coordinate if its sign (i.e. whether y is even or odd 
in F p ) is stored alongside the x-coordinate; this technique is 
known as point compression. In the hexadecimal format of the 
compressed point, the leftmost octet contains the information 
of y-coordinate: the octet 0x02 (resp. 0x03) indicates that 
the y is even (resp. odd). Moreover, 0x04 indicates that the 
octet string represents an uncompressed point. 

For instance, the secp256kl curve parameter standardized 
by SECG in [16, §2] has the following base point in an 
uncompressed 65-byte hexadecimal string: 

04 79BE667E F9DCBBAC 55A06295 CE870B07 

029BFCDB 2DCE28D9 59F2815B 16F81798 

483ADA77 26A3C465 5DA4FBFC 0E1108A8 

FD17B448 A6855419 9C47D08F FB10D4B8 

whereas the compressed form of the above is represented as 
a 33-byte string as follows: 

02 79BE667E F9DCBBAC 55A06295 CE870B07 

029BFCDB 2DCE28D9 59F2815B 16F81798 

Note that the information of y-coordinate is compressed to 
the leftmost octet 02 while x-coordinate remains the same. 













Algorithm 3 Point Decompression Algorithm [47, §2.3.4] 

Input: x £ F p , y £ {0x02, 0x03}, A, B, p 
Output: P = {x,y)\ uncompressed base point satisfying 
y 2 = x 3 + Ax + B mod p 
1 : y ■£- x 2 

2 : y £- y + A > A = 0 for seep k series 

3: y £- y x x 
4: y <— y + Bf 

5: y<-y/y 

6: if y = 0x02 then 
7: b ■£- 0 

8 : else 
9 : b £- 1 

10 : end if 

11 : if 2 / 7*6 mod 2 then 
12 : y^p-y 

13: end if 
14: return (x,y) 


G. Singular Curve Point Decompression Attack 

We now describe Blomer and Gunther’s SCPD attack [9] 
against elliptic curves of short Weierstrass form. 

Attack model: We suppose that the compressed base point 
P = (x,y) £ E( Fp) is stored in a cryptographic device and 
assume that the scalar multiplication algorithm receives the 
decompressed base point as input. The fault attacker is able to 
modify the base point by injecting a suitably synchronized 
fault upon point decompression algorithm that leads to an 
incorrectly reconstructed y-coodinate of P. 

Instruction skipping fault on base point decompression: 
Algorithm 3 is the point decompression routine specified by 
SECG [47, §2.3.4], If A = 0 (as the BN-curve and seep k 
series have) and a single instruction skipping fault is injected 
at line 4, then the resulting //-coordinate, denoted by y, is 
incorrectly reconstructed so that the following holds: 

y 2 = x 3 mod p. 


Hence the perturbed faulty base point is reliably on the 
singular curve E : y 2 = x 3 as depicted in Fig. 1. Let 
P = (x, y) be a perturbed base point and k be a secret scalar. 
Then using the isomorphism cj> in Theorem 1 

<K[k]P) = <!>( ? + . y+P) 

k 

= f(P) +... + f(P) 

= kx/y. 


By applying the inverse <j> 1 , we obtain 

= ( y 2 


[k]P : 


y 3 


1 p2 x 2 ■ ^, 3^.3 I 

x y 
k 2 ’ k 3 


Fig. 1: Pictorial overview of the Singular Curve Point Decom¬ 
pression Attack when A = 0 




E : y 2 = x 3 + B E : y 2 = x 3 


Hence, assuming that the a;-coordinate of [k]P, denoted by 
Xk , is available to an attacker, he can recover the secret scalar 
k (up to sign) by simply computing a division and a square 
root modulo p: 


k = 



(mod p). 


Note, however, that the attack fails if a ; 3 + Ax is a quadratic 
non-residue in the base field F p , because the square root 
operation at line 5 typically fails in that case (either because 
the square root algorithm fails on nonquadratic residues, or 
because the resulting point fails point validation). This implies 
that, for example, secpl92kl and secp256kl are susceptible to 
the SCPD attack, but secp224kl is not. 


III. Attacking ECDSA and SM2-ECIES in OpenSSL 

OpenSSL allows users to generate elliptic curve key files 
with explicit curve parameter embedded into them (as opposed 
to the use of a limited set of named curves). The construction 
of such key file is in fact mentioned in the documentation 
as a way of achieving backwards compatibility with versions 
of OpenSSL supporting fewer named curves. Moreover, the 
curve parameters in such a key file can optionally store the 
curve base point in compressed form. 

In this section, we show that the use of such key files can 
be easily exploited by a fault attacker to mount a variant of 
the SCPD attack described above. Our variant achieves a full 
key recovery attack when the key file is used for signing with 
ECDSA, and a complete recovery of the plaintext when the file 
is used for encryption using ECIES in OpenSSL. Both attacks 
were practically validated using concrete fault experiments 
against a Raspberry Pi. 


A. OpenSSL EC Key Files 

We first present a concrete situation where OpenSSL gener¬ 
ates an EC key pair explicitly containing the domain parame¬ 
ters with a compressed base point. In what follows, we assume 














the version 1.1.1 [48], which is the latest release of OpenSSL 
as of November 2018. Complete command line operations in 
this part are found in Appendix A Fig. 8. In OpenSSL, EC key 
operations are mainly dealt with two command line interfaces: 
ecparam and ec. While the former is used to generate a 
secret key, the latter is used to derive an corresponding public 
key. By default ecparam only outputs a secret key and the 
name of the domain parameter specified by -name option. 
However, the command line tool also allows a user to explicitly 
store the details of parameters into a key file by adding 
-param_enc explicit option. This option is supported 
mainly for backwards compatibility purposes; for example, not 
all the target systems know the details of the named curve 
(such as brainpoolP512tl for the version below 1.0.2) and a 
user might want to explicitly pass the full parameter details 
to others. This use case is in fact described in the official 
wiki page [49] of OpenSSL. Finally, by adding -conv_form 
compressed option, one can obtain a key file including a 
compressed base point as part of the parameters. Note that 
this option also affects the form of a public key point. Fig. 2 
displays an example output of the above operations. In order to 
derive the public key in a compressed form including the same 
parameter details, one can simply invoke ec command on a 
generated secret key with -pubout option. Alternatively, one 
can derive a key pair of the same form by first creating an EC 
parameter file, as shown in Fig. 8 of Appendix A. 

The signing and encrypting operations using an EC key can 
be achieved by dgst and pkeyutl 1 , respectively. When 
these commands are invoked on key files generated as above, 
OpenSSL’s EC_GROUP_new_from_ecparameters () 
function internally constructs the domain parameters 
V = (p, A 1 B, P,n, c) as EC_GROUP structure, which 

essentially works as follows: 

(i) Convert the raw byte arrays of A, B, and p into BIGNUM 
structures, by calling BN_bin2bn () utility function. 

(ii) Initialize EC_GROUP structure with A, B and p as inputs. 

(iii) Parse the compressed base point P = (x. y) and con¬ 
vert the raw byte array of x-coordinate into a BIGNUM 
structure. 

(iv) Call Algorithm 3 on x, y, A , B, and p to initialize the 
uncompressed base point P = ( x,y ). 

(v) Perform the validity check of P i.e. check if y 2 = x 3 + 
Ax + B mod p holds. Return error if the check fails. 

(vi) Convert the raw byte arrays of the group order n and the 
curve cofactor c into BIGNUM structures. 

(vii) Store P = ( x,y ), n, and c of BIGNUM forms into 
EC_GROUP structure. 

Additionally, when the compressed public key Q = 

( x QiVQ ) is loaded, o2i_ECPublicKey () function per- 

'We remark that the targeted OpenSSL version in this work does not 
support the use of SM2 in command line tools as is, though the codebase 
for SM2 has been fully implemented; however, OpenSSL Management 
Committee plans to add this feature in a post 1.1,1 release [50] and it can 
be simply achieved by calling EVP_PKEY_set_alias_type () right after 
loading a key file inside pkeyutl. 


Fig. 2: Generation of EC key files in OpenSSL, including a 
compressed base point 


$ openssl ecparam -out sk.pem -name secp256kl\ 

-genkey -conv_form compressed -param_enc explicit 

$ openssl ec -in sk.pem -noout -text 
read EC key 
Private-Key: (256 bit) 
priv: 

08:45:c9:52:d8:b9:b3:3b:c3:c5:a2:ef:2d:a9:46: 
32:53:f8:a8:75:68:6d:22:31:b4:d9:fc:de:f5:f3: 
b4 : f 0 

pub: 

02:94:78:28:99:e4:b3:06:53:0d:d3:43:a8:29:12: 
Ib:db:5b:72:b0:33:f0:76:88:d9:e8:4e:c5:c6:85: 

66:26:4d 

Field Type: prime-field 
Prime: 

00:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff: 
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:fe:ff: 
ff:fc:2f 
A: 0 

B: 7 (0x7) 

Generator (compressed): 

02:79:be:66:7e:f9:dc:bb:ac:55:a0:62:95:ce:87: 
0b:07:02:9b:fc:db:2d:ce:28:d9:59:f2:81:5b:16: 
f8:17:98 
Order: 

00:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff: 
ff:fe:ba:ae:dc:e6:af:48:aO:3b:bf:d2:5e:8c:dO: 
36:41:41 

Cofactor: 1 (0x1) 


forms the same operations in (iii) - (v) to initialize EC_KEY 
structure using the domain parameters constructed as above. 

B. Our Attack 

We now describe our variant of the SCPD attack that can 
be easily achieved in practice against OpenSSL whenever it 
loads an EC key file including a base point and a public key 
in compressed forms. For simplicity, we focus on the attack 
against curves with /-invariant equal to 0 (i.e., A = 0), but the 
attack also generalizes to the curves with nonzero '/-invariant. 
Indeed, in that case, the faulty curve becomes supersingu¬ 
lar according to Proposition 1, and hence the MOV attack 
of Proposition 2 applies and reduces the discrete logarithm 
problem on the curve to a discrete logarithm in the field F* 2 , 
which is easy to solve for sizes of p up to at least 256 bits, and 
tractable even up to 384 bits or so. Note that this supersingular 
case is not covered by the paper of Blomer and Gunther [9], 
but our attack applies to it nonetheless. 

Attack model: In our model, the attacker injects a single in¬ 
struction skipping fault upon the invocation of BN_bin2bn () 
on a parameter B in (i), and can force the resulting BIGNUM 
form of B to be 0, instead of the correct value e.g. B = 7 
for secp256kl. As a consequence, EC_GROUP structure is 
incorrectly initialized, which causes the point decompres¬ 
sion at (iv) to output the invalid uncompressed point P = 




(x,y) such that y 2 = x 3 holds. Note that the validity 
check at (v) cannot detect the faulty uncompressed point 
because the check function also receives the incorrect pa¬ 
rameter B = 0, and therefore conceives of P as a “valid” 
point on the cuspidal singular curve E : y 2 = x 3 . Fi¬ 
nally, EC_GROUP_new_from_ecparameters () returns 
the following domain parameters: 

V = (p, 0, 0, P, n, c) 

When the above faulty domain parameters are used for 
scalar multiplication of P, we also assume that the attacker 
has access to the .'/.'-coordinate of [k]P (just as the original 
SCPD attack assumes). 

Furthermore, the decompression of public keys is incor¬ 
rectly performed using the domain parameters V\ accordingly, 
a faulty uncompressed public key Q = {xq^pq) inevitably lies 
on E as well. 

Realization of the model: We now identify the specific 
instruction in BN_bin2bn () which would cause the return 
value to become 0 when skipped. Fig. 3 shows the source 
code of BN_bin2bn() in OpenSSL 1.1.1. The function 
takes a raw byte array and its length as inputs, and outputs 
the corresponding BIGNUM object. Whenever BN_bin2bn () 
tries to create the BIGNUM object for parameter B, it first 
initializes the return value to 0 by calling BN_New () function 
at line 9. Here we target the conditional branch instruction at 
line 17; if that line is skipped, BN_bin2bn() immediately 
aborts and returns the BIGNUM object containing the value 0. 

The high-level description above omits a subtle practical 
detail; in practice, a fault skips CPU instructions, which do 
not necessarily match a specific line in C code, especially 
when taking compiler optimizations into account. Hence the 
target instructions to achieve the desired outcome would vary 
depending on the actual machine code generated by the com¬ 
piler. In Appendix B Fig. 10 we present the complete ARM 
assembly code of BN_bin2bn () as generated by the built-in 
GCC of the Raspberry Pi Linux distribution (with identical 
compiler options, including full optimization, as specified 
in the OpenSSL Makefile), and marked possible vulnerable 
instructions with the comment “@SKIP ! !”. In particular, we 
can observe that the bne instruction at line 35 of Fig. 10 
corresponds to line 17 of the original C code in Fig. 3; if 
it is skipped, the execution proceeds straight up to line 42 
of Fig. 10, which corresponds to the return at line 19 of 
Fig. 3. Interestingly, we also found several other instructions 
(at lines 30, 64, and 77) that would all cause the return value 
to become 0 when skipped. For space reasons, we omit the 
specific discussion of these other cases. 

Recovery of the secret scalar k: In OpenSSL’s scalar 
multiplication function ec_scalar_mul_ladder (), the 
scalar k £ [l,n — 1] is first rewritten to be k = k + An 
with A £ {1,2} such that the resulting scalar’s bit-length is 
exactly 1-bit larger than that of the group order n, in order 
to thwart a remote timing attack by Brumley and Tuveri [17]. 


Fig. 3: BN_bin2bn() conversion function from 
crypto/bn/bn_lib . c in OpenSSL 1.1.1 [48] 


1 BIGNUM *BN_bin2bn(const unsigned char *s, int len, 

BIGNUM *ret) 

2 { 

3 unsigned int i, m; 

4 unsigned int n; 

5 BN_ULONG 1; 

6 BIGNUM *bn = NULL; 

7 

8 if (ret == NULL) 

9 ret = bn = BN_new() ; 

10 if (ret == NULL) 

11 return NULL; 

12 bn_check_top(ret); 

13 /* Skip leading zero's. */ 

14 for ( ; len > 0 && *s == 0; s++, len—) 

15 continue; 

16 n = len; 

17 if (n == 0)/ { 

18 ret->top = 0; 

19 return ret; 

20 } 

21 i = ((n - 1) / BN_BYTES) + 1; 

22 m = ((n - 1) % (BN_BYTES)); 

23 if (bn_wexpand(ret, (int)i) == NULL) { 

24 BN_free(bn); 

25 return NULL; 

26 } 

27 ret->top = i; 

28 ret->neg = 0; 

29 1 = 0; 

30 while (n—) { 

31 1 = (1 « 8L) | * (s++) ; 

32 if (m— == 0) { 

33 ret->d[—i]= 1; 

34 1 = 0; 

35 m = BN_BYTES - 1; 

36 } 

37 } 

38 bn_correct_top(ret); 

39 return ret; 

40 } 


More concretely, the function actually computes [k]P instead 
of [k]P, where 


k = 


k + 2n 
k + n 


if [log(fc + n)] 
otherwise. 


[log n\ 


Though [k]P = \k]P indeed holds when the valid base 
point is used, it is not the case anymore when the function 
takes the invalid base point. Hence, recalling the discussion 
in Section II-G the fault attacker can recover k up to sign 
from xy where (x-,, y- k ) = [k]P, and eventually obtain four 
candidates of k as follows: 



(mod p), ± 



2 n (mod p) 


Recovery of ECDSA secret key: Once the faulty ECDSA 
signature pair (r = xt mod n, s = [h + fd)/k mod n) 
is obtained, we first compute candidates of the nonce k as 




described above 2 . To complete the attack, it suffices to use 
the well-known fact that the knowledge of k in an ECDSA 
signature directly exposes the secret key d as: 

d = (sTc — h)/r mod n. 

Furthermore, although we have several candidates for the 
correct k, it is easy to find the actual secret key: compute 
all candidates for d, and keep the one that corresponds to the 
public verification key. 

Recovery of SM2-ECIES plaintext: In SM2-ECIES, an 
attacker has access to both coordinates of [k]P = (xt. y ;) 
as they are parts of the ciphertext, and can thus determine k 
uniquely: 

k= y ~^. 

xy~ k 

Using the fact that the public key is also incorrectly decom¬ 
pressed, i.e. Q = (xq,ijq) satisfies j/q 2 = Xq , the faulty seed 
for KDF can be reconstructed as follows: 

(?,?)-[i]<3 = (f. f). 

Finally, the derived key K = KDF('r / ||y 7 , IC 2 I) can be used 
to obtain the plaintext M by computing K © Cf ■ 

Comparison with the original SCPD attack: If the orig¬ 
inal SCPD attack described in Section II-G was applied to 
OpenSSL, it would target the point decompression routine 
in (iv), and the faulty uncompressed base point P can be 
immediately detected by subsequent point validitation, since 
the program still knows the genuine parameter B at this stage. 
Accordingly, the original SCPD attack required a second, 
suitably synchronized fault to skip the validity check function 
as well. Such a double fault attack is quite challenging to 
achieve in practice, especially on larger devices than the AVR 
target of Blomer and Gunther, due to process scheduling issues 
and frequent interrupts. On the other hand, since our attack 
incorrectly reconstructs the whole domain parameters at an 
earlier stage, the validity check function does not know the 
genuine value of B and eventually executes the assertion of 
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y 2 = x 3 , which of course always passes. As a result, our 
variant can be realized using a simple, single fault injection. 
We were able to validate it experimentally at low cost on 
a large, multiprocess embedded system running a general 
purpose operating system: namely, the Raspberry Pi running 
Linux. 

An important remark along those lines is that, since the 
faulty generator obtained in our attack does not have the 
expected order, the domain parameters on which the compu¬ 
tations occur would not pass the full public key validation 
specified in the SECG standard [47, §3.2.2.1], Thus, if full 
public key validation was always carried out by OpenSSL 

^Though the attacker can only exploit the residue r of the resulting in¬ 
coordinate modulo n, we can ignore the probability that x k > n due to the 
Hasse bound and therefore do not need to distinguish between r and x k in 
practice. 


Fig. 4: Overview of the experimental setup 



Fig. 5: The ChipWhisperer-Lite evaluation board, connected 
to Raspberry Pi Model B. 



upon loading a key file, our attack would also required a 
double fault. However, although the key validation primi¬ 
tive is indeed implemented in OpenSSL (in library function 
EC_KEY_check_key ()), it is not called by default, proba¬ 
bly due to its substantial computational cost, and key recovery 
is thus possible with a single fault. 

C. Voltage Glitch Attack Experiment 

We successfully carried out the above attacks on OpenSSL 
1.1.1 installed in Raspberry Pi single board computer [19], 

Experimental setup: Our device under test. Raspberry Pi 
Model B, has the following features: 

• ARMll-based 32-bit single core processor at 700 MHz 
clock frequency 

• Debian-based Linux OS called Raspbian Stretch 
. GCC 6.3.0 

The attack was conducted on the ChipWhisperer-Lite side- 
channel and glitch attack evaluation board [40]. To inject 












Fig. 6: Voltage trace of VCC glitch 



a voltage glitch from Chip Whisperer into Raspberry Pi, we 
soldered one side of wire onto the VCC side of a decoupling 
capacitor, and the other side onto the SMA connector attached 
to a GND test point of the device. All the command line opera¬ 
tions are performed through SSH over the Ethernet connection, 
as the Ethernet connection usually has good protection against 
voltage transients. The above setup is suggested in O’Flynn’s 
PhD thesis [39, §8.3.2] and the official Chip Whisperer tutorial 
[51]. Figs. 4 and 5 show our experimental setup. 

We then compiled OpenSSL 1.1.1 using its default Makefile 
and the built-in GCC toolchain in Raspbian Stretch. The 
OpenSSL source code was left untouched, except for the 
addition of the following instructions: 

• At the beginning of the BN_bin2bn () function: 
WiringPi [52] library’s digitalWrite () function, 
which allows us to transmit a trigger signal to ChipWhis- 
perer through GPIO pins of the Raspberry Pi. 

• After digitalWrite (): 30 nop instructions to further 
facilitate the synchronization of the injected glitch. 

• After the load_key() and load_pubkey () 
functions in pkeyutl. c: 
EVP_PKEY_set_alias_type(pkey, 
SM2_EVP_PKEY_SM2 ) to enable the SM2-ECIES 
encryption operation by default on the command line 
tool (as opposed to just a library function). 

The first two modifications were applied by first gen¬ 
erating the assembly code (i.e. Fig. 10) of the original 
crypto/bn/bn_lib . c, and then adding the corresponding 
CPU instructions, so that all the other conditions remain the 
same as in the original code. 

Attack result: Before mounting the attack, we generated 
an EC key pair over secp256kl parameters containing com¬ 
pressed points using the command line options introduced in 
Section III-A. We then connected to Raspberry Pi through 
SSH and invoked dgst and pkeyutl commands to generate 
ECDSA signature and SM2-ECIES ciphertext, respectively. 
The ChipWhisperer inserted a single voltage glitch with a 
high-power MOSFET right after the trigger signal is transmit¬ 
ted to it. After some trial and error, we found that enable- 


TABLE I: Experimental results of voltage glitch fault attacks 
against BN_bin2bn () function running in Raspberry Pi. 


Success 

No effect 

Program crash 

OS crash 

Total 

95 

813 

89 

3 

1000 


only glitches repeated 127 times at offset 10 clock cycles 
cause reliably reproducible misbehavior of Raspberry Pi, and 
we were able to observe that the parameter B was set to 
0 with the success probability ss 0.1. Fig. 6 shows a fault 
waveform inserted into Raspberry Pi. Table I summarizes 
the experimental results after 1000 trials of fault injection 
against dgst command, where each entry corresponds to the 
following situations: 

• Success: B was successfully set to 0. 

• No effect: the command output the valid signature with¬ 
out any error. 

• Program crash: the command crashed with some excep¬ 
tion e.g. segmentation fault. 

• OS crash: Linux OS crashed and completely stopped 
responding. 

As reported by O’Flynn, such voltage glitches rarely crashed 
the OS and network connection either. Using the faulty out¬ 
puts of dgst and pkeyutl, we successfully recovered the 
ECDSA’s secret key and SM2-ECIES’s plaintext with the help 
of SageMath [53], 

Instruction skipping: Though we were able to observe 
the desired faulty output, it does not necessarily imply that 
either of the targeted instructions marked in Fig. 10 was 
actually skipped. To be more specific, we cannot rule out 
the possibility of other faulty effects such as a double¬ 
execution of a certain instruction, as was reportedly achieved 
by Korak and Hoefler [35] in the attack against ARM Cortex- 
MO’s arithmetical instructions. For example, we can confirm 
(by manually modifying the assembly code) that a double 
execution of the subs instruction at line 26 would also lead 
to the 0 return value. In our low-cost setup, it is difficult to 
reliably synchronize a specific instruction-level glitch against 
programs running in a non real-time OS like Linux, and we 
thus remark that our experiment may not perfectly match the 
attack model described in Section III-B. Nevertheless, the fact 
that the same goal (of setting the value of B to zero) can be 
achieved in multiple ways only reinforces the relevance of our 
fault attack. 

Attacking a fully unmodified library: One can ask whether 
it would have been possible to attack a fully unmodified 
version of OpenSSL using the same approach. We argue that 
the answer is yes, although at the cost of a significantly 
more expensive experimental setup (which would be a stretch 
for typical academic budgets, but not for a less resource- 
constrained attacker). 

More precisely, note that the activation of SM2-ECIES on 
the command line is simply a matter of convenience: the attack 
could be mounted without it on code using the OpenSSL 





















library functions instead of the command line tools (and that 
change is irrelevant to the ECDSA attack anyway). Therefore, 
the only meaningful change that we carried out is the addition 
of a manual GPIO trigger and subsequent nop instructions in 
order to help synchronize the injection of the glitch. 

This too can be entirely eliminated using well-known 
automatic triggering techniques, such as sum-of-absolute- 
differences (SAD) matching of waveforms acquired from side- 
channel emanations of the device. The main challenge in 
applying such techniques to our setting is the high CPU 
frequency of the Raspberry Pi, which calls for high-resolution 
capturing equipment and very fast response time triggering 
hardware. Off-the-shelf solutions exist (e.g. Riscure’s icWaves 
toolkit [54]), but they are far pricier than our $250 exper¬ 
iment. A more advanced triggering technique has recently 
been demonstrated using moderate resolution side-channel 
traces, even against ARM-based, high-frequency targets run¬ 
ning Linux [55]. The corresponding setup fits better within 
academic budgets, but requires custom-made hardware and 
specialized expertise, and hence was somewhat impractical for 
our purposes. 

IV. Attacking ECDH in Opens SL 

In the previous section, we assumed that the result of the 
scalar multiplication on a degenerate curve is available to 
an adversary. In an ECDH key exchange, however, this is 
usually not the case and the adversary can only get some 
ciphertext generated with a shared secret key derived from 
the resulting point. Hence, the adversary cannot apply any 
algebraic operation to the resulting point, unlike the SCPD 
attack. To overcome this limitation of the SCPD attack, we 
employ a Pohlig-Hellman-like technique used in traditional 
invalid curve attacks; specifically, the attack and its target 
ECDH model in this section are inspired by Neves and 
Tibouchi’s approach [14]. The attack below requires multiple 
instances of the faulty output by the server, but we show that 
it can be mounted in moderate time complexity and with only 
small amount of queries. 

A. Degenerate Fault Attack against Hashed ECDH 

Target ECDH protocol: We consider the attack against 
an abstract model of ephemeral-static ECDH key exchange 
presented in Fig. 7, where Alice is a client holding her 
ephemeral key pair and Bob is a server who loads his static 
key pair as well as the domain parameters from locally stored 
EC key file mykey. pem. This protocol is a variant of the 
one considered in [14], with a few tweaks to increase its 
practical relevance: our variant does carry out point validation 
on the server side, and the session key is derived from the x- 
coordinate of the common point computed by the two parties 
(as opposed to the whole point), as is common in all practical 
elliptic curve based key exchange protocols, including the TLS 
handshake with elliptic curves. In Section IV-B, we show 
how this abstract protocol can be concretely realized using 
the OpenSSL command line tools, and attacked accordingly 
using our fault injection techniques. 


Fig. 7: EC Diffie-Hellman Protocol with hashed server output, 
where k a and k are secret keys chosen from Z/nZ, Q a = 
[k a ]P and Q = [k]P are public keys, V a and V are domain 
parameters, and x(P) denotes the ^-coordinate of a point P. 


Alice ( k a , Q a , T > a , Q , V ) 

Bob(mykey. pem) 

Qa,T> a 
- > 

Load k, Q and T> 
from mykey. pem; 

Verify Q S 2?(F P ); 
Verify P S _E(F P ); 
Verify V a = X>; 

Verify Q a S U(Fp); 

pins <- x([fc a ]Q); 

pins <- x([fe]Q a ); 

K <r- KDF(pms); 

C 

<- 

K «- KDF(pms); 

C <- Enc{K, “Hello”); 


Target curve parameters: Our attack target is the server 
whose domain parameters satisfy 4/0 and p = 3 mod 4, 
which hold for many standardized curves like seep r series 
(except secp224rl) [16] and Brainpool curves [56]. We also 
assume that Bob’s EC key file contains the base point in 
a compressed form, just as we did in the previous section. 
These assumptions will allow us to exploit non-prime order 
of the supersingular curve introduced in Section II-C if the 
initialization of parameter B is incorrectly done. 

Overview of the attack: We first describe a high-level 
overview of our attack against hashed ECDH. Here we assume 
that Alice is an adversary and tries to steal Bob’s secret key k 
by interacting with him N times. The basic strategy of Alice is 
to perform a combined attack which uses both the degenerate 
curve attack of Neves and Tibouchi and the fault injection 
technique presented in the previous section. 

The degenerate case we fundamentally rely upon is a 
supersingular curve E' : y 2 = x 3 + Ax that has non¬ 
prime order p + 1 from Proposition 1. Following Neves and 
Tibouchi’s approach, for each query i, Alice sends an invalid 
public key Qi £ E'(¥ p ) of small order £ t , where £i is a 
prime (power) factor of p + 1, and carries out an exhaustive 
search in the subgroup (Cff) to find k mod ti upon receiving 
an invalid ciphertext C\ = Enc(KDF(x([/c]Qi)),“Hello”) 
from Bob. After sufficiently many queries Alice computes k 
mod L using the Chinese Remainder Theorem (CRT), with 
L = . C, and can finally recover the whole k using Pollard’s 

kangaroo (or lambda) algorithm [57] in 0{\J(p+ 1 )/L) time 
complexity. 

However, Neves and Tibouchi only considered careless 
protocols where point validation on the server side is absent; 
in our targeted protocol of Fig. 7, Bob performs a number of 
validity checks upon loading his own key hie and receiving 









Alice’s public key and domain parameters. Hence, we circum¬ 
vent all these checks via a single instruction skipping fault 
described in Section III-B, whenever Bob loads his key file. 
The reader should note that it is crucial to inject a fault during 
the initialization phase of parameter B (i.e. execution of 
BN_bin2bn () function to load B in OpenSSL), not against 
the validity check functions themselves; otherwise the attacker 
would need to inject multiple faults to skip them. 

Moreover, Neves and Tibouchi’s hashed ECDH model fails 
to capture the significant property: in most ECDH implemen¬ 
tations, a shared secret key K is not derived from the resulting 
curve point [k]Q„ itself, but from its x-coordinate , which 
is often referred to as premaster secret (pms). In this more 
realistic, but restricted setting, Alice’s exhaustive search can 
only determine k mod up to sign for each query, and she 
thus would have to perform the subsequent Pollard’s kangaroo 
algorithm on exponentially many instances. We avoid this 
problem by making a single additional query that can be used 
for checking the correctness of CRT’s outputs. 

Attack algorithm and analysis: We now give a complete 
description of the attack in Algorithm 4. Again, we stress that 
a single fault injection in 2) can circumvent all the validity 
checks of domain parameters and public keys. 

Theorem 2. The time complexity of Algorithm 4 is 0{\fl o + 
N£i + 2 n log 2 L) and the space complexity is 0(1). 

Proof For each small factor the exhaustive search takes 
0{fi) steps and the total time complexity in 2) is OQNtf). 
Executing the CRT for each (fei, - -., fcjv) takes 0(log 2 L) 
time, and there are in total 2 N patterns of an input. Hence the 
total time complexity of 4) is 0(2 N log 2 L). Finally Pollard’s 
kangaroo takes 0(\J i o) time. All the subroutines in the above 
attack are constant space algorithms. □ 

Query optimization and complexity estimates: In Algo¬ 
rithm 4, we simply sorted the prime (power) factors of p + 1 
in descending order and automatically assigned one query 
to each factor; however, this often yields nonoptimal total 
time complexity. We present a straightforward approach for 
query optimization by describing the concrete attack against 
prime 192vl as an example. We also give the result of optimal 
complexity estimates for other curve parameters in Table II. 

First of all, primel92vl’s p+ 1 can be factored as follows: 

p + l =2 64 x 67280421310721 x 6700417 x 274177 
x 65537 x 641 x 257 x 17 x 5 x 3 

Since N = 10 and the largest factors are £q = 2 64 and i\ = 
67280421310721 ss 2 46 , the total time complexity would be 
0( 2 46 ) without any query optimization. 

However, in an actual attack, we can “merge and divide” 
some queries to equalize the time complexities for each 
exhaustive search and Pollard’s kangaroo. On the one hand, 
the exhaustive searches for order 3, 5, 17, and 257 subgroups 
are computationally cheap, and therefore they can be “merged” 
into other queries, so that the new queries send invalid points 


Algorithm 4 Attack on hashed ECDH with point validation 

Input: Bob’s public key Q and domain parameters V 
Output: Secret key k such that Q = \k\P 

1) Parse the domain parameters T) = (p, A, B, P,n,c) ofjlob’s 
public key, and construct invalid domain parameters T> a = 
(p, A, 0, P, n, c ) which defines 

• su^ersingular curve E' : y 2 = x 3 + Ax of order p + 1 = 
n i=0 & where ii is a prime (power) factor of p + 1 and 
to > £i > ■ ■ ■ > £n, and 

• invalid base point P on E'( F p ) that shares its ^-coordinate 
with the valid base point P. 

2) For each small factor £, in (fi,..., In}'- 

i Pick an invalidjpoint Qi £ E'( F p ) of order £,, and send Qi 
together with T> a to Bob. 

ii Upon Bob loading his EC key file, inject a single instruction 

skipping fault to set his parameter B to 0, and consequently 
force the base point to be decompressed to P £ E'(¥ p ) (See 
Section III-B). __ 

iii Upon receiving a faulty ciphertext Ci from jlob, perform an 
exhaustive search in the small subgroup (Qi) to find ki £ 
[0, if) such that 

Enc(KDF(x([fc;]Q))), “Hello”) = Ci. 

Note that this procedure only finds k mod £i up to sign i.e. 
Alice always obtains two solutions ±fc mod ii. 

3) Pick the additional invalid point Ql £ E'( F p ) of order L = 

i send Ql together with V a to Bob, and receive the 
corresponding ciphertext Cl. 

4) For each candidate combination of (fci,...,/ cjv) £ {k 

mod ii, —k mod £i} x ... x {k mod fjv, —k mod £n}- 

i Compute the following using the CRT: 

(fci,..., fcjv) H > k' £ Z/LZ. 

ii Verify the correctness of CRT’s output by performing the 
following check: 

Enc(KDF(x([fc']Q2)), “Hello”) = Cl. 

If k! passes the above check, it means that k! satisfies 
either k' = k mod L or k' = —k mod L, of which the 
former is derived from the correct candidate combination 
(fci,..., k N ) = (k mod £\,... ,k mod £n). 

5) At this stage, Alice already knows two candidates of k', and 
one of them satisfies k = k' + Lk" for some k" < \n/L\ « 
(p + 1)/T = £\. If Pollard’s kangaroo algorithm with inputs 
Q—[k']P and the base [L\P can find a solution k ", then finally 
outputs k' + Lk". 


of slightly larger composite order to Bob, with which exhaus¬ 
tive search is still feasible. On the other hand, the search in 
order 2 63 subgroup 1 can be actually “divided” into multiple 
exhaustive searches in a much smaller subgroup, e.g. order 
p := 2 21 subgroup; concretely, we first pick order p 3 point 
Q p 3 as well as Q p 2 = \p]Q p s and Q p = \p]Q p 2 , and also 
rewrite k as follows: 

k = Up 3 + K 2 p 2 + re ip + re 0 

-’We lose 1-bit in this search because primel92vl has no 2 64 order 
subgroup due to the quadratic non-residue curve parameter A. 





where m < p and R < [n/p 3 _|. The first query uses Q p 
and performs exhaustive search in (Q p ) to recover kq = k 
mod p up to sign; the second query uses Q p i to recover K\, 
which still reduces to the exhaustive search in ( Q p ) because 
[k]Q p 2 = [nip]Q p 2 + [k 0 ]Q p 2 = [ki]Q p + [«o \Q p 2 and the 
latter term is already known. Note that after the second query 
we can trivially rule out the wrong candidate of kq because the 
exhaustive search would find no solution in that case. Likewise 
we can recover K 2 by using Q p 3 in the third query. As a 
consequence three iterations of exhaustive search in (Q p ) are 
sufficient to find K 2 P 2 + Kip + no = k mod p 3 (up to sign). 

To achieve these query optimizations, we can, for example, 
reconstruct the factors of p + 1 as follows: 

£' 0 = 67280421310721 x 2 

£' x = 6700417, £' 2 = 17 x 257 x 641 

£' 3 = 3 x 5 x 65537, £' 4 = 274177 

£5 = p 3 = 2 63 

which leads to 7 queries that send invalid points 
Qi ,..., Q 4 , Q pi Q p 2 , and Q p 3 of corresponding orders (+ 1 
additional query with the point () 1 / of order IJ = £')■ 

Because £' 0 sa 2 47 , i\ w 2 23 and L' k, 2 145 , we obtain the total 
time complexity of 0(^/1^ + 7£ / l + 2 5 log 2 L') = 0( 2 25 5 ), 
which is much less than the nonoptimal queries. 

B. Application to OpenSSL 

Attack on manual ECDH key exchange in OpenSSL: We 
now describe a practical scenario that realizes the ECDH 
protocol of Fig. 7 using OpenSSL command line tools. Com¬ 
plete command line operations in this part can be found in 
Appendix A Fig. 9. Suppose Bob holds a static EC key 
containing explicit curve parameters as well as the compressed 
base point, which we described in Section III-A. When Bob 
manually performs the ECDH key exchange with Alice, he 
may use pkeyutl -derive command with Alice’s public 
key file and his own key file as inputs, so that he can 
obtain the premaster secret x([fc]Q a ). Accordingly, Bob can 
generate the master secret key K and ciphertext C for “Hello” 
message using an appropriate cryptographic hash function (e.g. 
SHA256) as KDF and symmetric encryption algorithm (e.g. 
AES-256-CBC), respectively; of course, these can be achieved 
via basic OpenSSL commands. 

Here Alice’s attack strategy is quite simple; since pkeyutl 
-derive invokes BN_bin2bn() function when loading 
an EC key file, she can directly apply the fault attack in 
Section III-B to force Bob’s curve parameter B to have 0, 
whenever Bob tries to derive a premaster secret using Alice’s 
malicious public key. 

Experimental results: We successfully mounted the above 
attack on OpenSSL 1.1.1 installed in Raspberry Pi. We tar¬ 
geted primel92vl as Bob’s curve parameters and first found 
an order (p + l )/2 point at x = 260 on supersingular 
curve E' : y 2 = x 3 3a;; then we prepared 8 public 
keys which contain invalid domain parameter 5 = 0 and 


low order points Qi,..., Q 4 , Q p , Q p 2 , Q p 3, and Qv. Upon 
loading these public keys during the execution of pkeyutl 
-derive, a single voltage glitch fault was inserted into 
BN_bin2bn () function, just as we did in Section III-C. 
When the fault successfully caused the domain parameters 
to have 5 = 0, all the subsequent validity checks passed 
and the command output a faulty pms without raising any 
error; otherwise, the command aborted immediately with error 
messages. Then we invoked dgst command to hash a faulty 
pms , and to derive a master key K; finally we used it to 
encrypt “hello” message with enc command. 

After collecting 8 faulty ciphertexts returned from the above 
operations, we performed the exhaustive search, CRT with the 
correctness check, and Pollard’s kangaroo algorithm described 
in Algorithm 4 with the help of SageMath [53], The exhaustive 
searches for 7 instances took an hour and computing the 
CRT for 2 5 candidates of k' was done in few seconds, using 
a standard desktop computer equipped with Intel Core i5- 
4460 CPU and Ubuntu 18.04. Finally, we executed Pollard’s 
kangaroo on two candidates of k! = k mod L\ which took 
90 minutes, and successfully found the correct secret key k. 

C. Applicability to TLS 

Although that option is probably not commonly used in 
practice, the TLS standard does support certificates for elliptic 
curve cryptography using explicit curve parameters, as well 
as point compression for the group generator as part of those 
parameters (see [58, §5.4], particularly the definition of the 
ECPoint structure). It is therefore natural to ask to what 
extent the attack described in this section applies to the 
TLS handshake when using elliptic curve cryptography cipher 
suites. 

Note first that one has to posit a rather powerful attacker 
against the TLS server, than can initiate adversarial TLS 
handshakes while at the same time injecting faults on the 
server itself. This can correspond to settings in which the 
server is an embedded device, in which faults can be injected 
remotely (e.g., using exploits such as Rowhammer.js [59]). 

Even so, the abstract model described in Fig. 7 does not 
quite map to any of the ECDH-derived key exchange protocols 
defined in TLS as summarized, e.g., in [58, §2]. However, one 
can modify the attack to match the “fixed ECDH” setting (i.e., 
the case of a static server key), albeit at the cost of significant 
increase in query complexity. Moreover, although the attack 
does in principle require a static key on the server side, it can 
interestingly also apply to certain practical implementations of 
“ephemeral ECDH”. 

Fixed ECDH: The TLS-ECDH setting closest to the one 
we consider is “fixed ECDH”, where the server uses a static 
key and there is no client authentication. In that case, the 
TLS handshake takes a form very close to Fig. 7, but with 
one crucial difference: namely, the client has to send its 
ClientFinished message encrypted under the key ob¬ 
tained from the key exchange (which is already known since 
the server’s public key is static). This is a problem for our 


TABLE II: Complexity estimates of the attack against ECDH over standardized curves 


Curve 

p 

K\ 


Time 

# Queries 

? 

Vx 3 + Ax e F* 

prime 192vl 

2 192 — 2® 4 — t 

47 

23 

0 (2 25 ' 5 ) 

8 

Yes 

prime256vl 

2 224 (2 32 - 1) + 2 192 + 2 96 - 1 

94 

46 

0 (2 48 - 3 ) 

6 

Yes 

secp384rl 

2384 _2 128 _ 2 96 -f- 2 32 _1 

188 

36 

0 (2 93 - 5 ) 

7 

Yes 

secp521rl 

2 521 - 1 

1 

1 

0 (1) 

521 

No 

brainpoolP192rl 

— 

63 

49 

O(2 50 -°) 

4 

Yes 

brainpoolP224r 1 

— 

140 

50 

0 (2 69 - 7 ) 

3 

No 

brainpoolP256rl 

— 

164 

68 

0 (2 81 - 7 ) 

3 

Yes 

brainpoolP384rl 

— 

181 

88 

0 (2 90 1 ) 

4 

Yes 

brainpoolP512rl 

— 

151 

125 

0 (2 126 - 3 ) 

4 

Yes 


attack, because although the client does know the valid public 
key of the server, he does not know the perturbed key on 
the fauly curve E' , and therefore cannot easily encrypt its 
ClientFinished message. 

There is a simple workaround to this limitation, however: 
since the derived keys tried by the client are obtained from 
points of small orders l\,... , fjv on E', the client can simply 
repeat its handshake attempts with key candidates derived from 
all the possible multiples of those points of small orders, 
until the server is able to decrypt the ClientFinished 
message and replies. That case corresponds to a correct guess, 
and therefore reveals the secret key of the server modulo 
l \,..., £n as before. This is essentially the approach taken 
in the original invalid curve attacks by Antipa et al. [12] 

The time complexity of that variant of the attack is the same 
as for the attack in the previous section: the only difference is 
that the exhaustive search phase (Step 2iii of Algorithm 4) is 
now carried out using online queries to the server instead of 
offline computations (at a significant, but constant, overhead). 4 
The query complexity, on the other hand, does obviously 
increase sharply. 

Ephemeral ECDH: Clearly, our attack on ECDH requires 
several faulty executions of the key exchange protocol to 
recover a secret, and therefore should not apply to “ephemeral 
ECDH” key exchange (ECDHE_RSA and ECDHE_ECDSA in 
TLS), where the server is supposed to use a fresh secret for 
every session in order to ensure perfect forward secrecy. In 
practice, however, many TLS servers reuse those ephemeral 
keys for a long period of time in order to reduce the compu¬ 
tational overhead of new encrypted connections: Springall et 
al. [60] found that, as of 2016, around 15% of the ECDHE 
domains in the Alexa Top Million practiced some form of 
key reuse, some of them for months at a time! This type of 
key reuse is even the default behavior of some popular TLS 
implementations (e.g., the bug report to fix this issue in NSS, 
submitted in 2015, appears to remain open at the time of this 
writing [61]). 

In such a setting, the same attack as above applies directly, 
and recovers the supposedly-ephemeral-but-actually-reused se¬ 
cret of the server (and hence allows to decrypt all TLS sessions 
the adversary can record until the subsequent key update). 

Similarly, note that the check done in Step 4ii of Algorithm 4 can be 
carried out using 2 N handshake attempts, which is negligible. 


V. Countermeasures 

The vulnerabilities we pointed out stem from the fact that 
OpenS SL command line tools support loading a compressed 
base point from external EC key files. Hence, as a straightfor¬ 
ward countermeasure we suggest that the ecparam command 
line interface deprecate -conv_f orm compressed option, 
so that the generation of such vulnerable EC key files will 
never occur. More generic, low-level countermeasures against 
fault attacks can be found in e.g. [34, §5]. We also mention 
general advice on the use of compressed curve points when 
one implements ECC: 

• To thwart the kinds of attacks described in Section III 
and Section IV, one should never store the base point in 
compressed form. 

• On the other hand, the use of public key points in 
compressed form per se is not a problem; in fact, it is 
advisable to use them because this assures the resulting 
point is on the curve, so that one can prevent other invalid 
curve attacks. 

VI. Concluding Remarks 

This paper brought the SCPD attack and the degenerate 
curve attacks closer to practice, and identified fault attack vul¬ 
nerabilities in OpenSSL’s implementation of ECDSA, SM2- 
ECIES and ECDH. We stress that the attacks on the first two 
schemes over seep k series (except 224kl) are particularly 
devastating because the adversary would be able to recover a 
secret key (resp. plaintext) from a single faulty signature (resp. 
ciphertext) with almost no computational cost. Note that while 
we have not directly witnessed the use of such unusual EC 
keys as Fig. 2 in the wild, there are reasons to believe that 
they could exist (beyond Heninger’s conjecture that “given 
samples from enough cryptographic implementations, any 
outrageous vulnerability is likely to be present” [62]). Indeed, 
the construction of these key files is explicitly described in the 
OpenS SL official documentation (see III- A) and their use is 
permitted by the original elliptic curve extensions to TLS [58]. 

Beyond OpenSSL, we point out that there is a possibility 
that other cryptographic libraries, especially the ones for 
embedded systems, are using base points in compressed forms. 
Such values do appear in SECG’s recommended elliptic curve 
domain parameters [16], and there is a plausible reason why 
practitioners might want to use them; since reducing code size 






is a major concern for embedded implementations, compress¬ 
ing the base point, which results in a code size reduction of 
24-64 bytes, can potentially justify the use of compressed 
base points when program memory is at a premium 5 . Though 
we fortunately confirmed that the several well-known libraries 
such as mbed TLS [64], wolfSSL [65], Crypto++ [66] and 
libsecp256kl [67] do not implement compressed base points, 
some implementations for non-production use do include them 
in reality; for instance, the base point of secp256kl in a 
compressed form appears in [68, Appendix D.2]. In particular, 
the ECDSA over secp256kl curve, on which we mounted 
the attack in Section III-C, is nowadays a high-profile target 
owing to its use in the Bitcoin protocol [69]. Therefore, 
future research should consider the potential effect of the 
SCPD attack on hardware Bitcoin wallets, including in-house 
implementations. All in all, the lesson of this paper is quite 
simple: do not store your base points in compressed form! It 
would also seem advisable to always avoid the use of explicit 
curve parameters in ECC implementations and only rely on a 
reasonable set of named curves. 
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Fig. 8: Complete command line operations in Section III 


# Generate a key pair including compressed base point 
openssl ecparam -out sk.pem -name secp256kl -genkey \ 

-conv_form compressed -param_enc explicit 
openssl ec -in sk.pem -pubout -out pk.pem 

# Alternative way: generate a parameter file, then derive a 
<—>■ key pair 

openssl ecparam -out ec_param.pem -name secp256kl \ 
-param_enc explicit 

openssl ecparam -out sk.pem -in ec_param.pem -genkey \ 
-conv_form compressed 
openssl ec -in sk.pem -pubout -out pk.pem 

# Sign/verify with ECDSA 

openssl dgst -sha256 -sign sk.pem file.txt > sigma.sig 
openssl dgst -sha256 -verify pk.pem \ 

-signature sigma.sig file.txt 

# Encrypt/decrypt with SM2 ECIES (assuming 

^ EVP_PKEY_set_alias_type (pkey, EVP_PKEY_SM2) is set) 
openssl pkeyutl -encrypt -in file.txt -pubin \ 

-inkey pk.pem -out cipher 
openssl pkeyutl -decrypt -in cipher -inkey sk.pem 


Fig. 9: Complete command line operations in Section IV 


# Bob generates a key pair including compressed base point 
openssl ecparam -out sk.pem -name primel92vl -genkey \ 

-conv_form compressed -param_enc explicit 
openssl ec -in sk.pem -pubout -out pk.pem 

# Derive ECDH premaster secret with Alice ' s public key as 
<—*■ input 

openssl pkeyutl -derive -inkey sk.pem \ 

-peerkey pk_alice.pem -out pms.bin 

# Generate master secret key with SHA256 
openssl dgst -sha256 -binary pms.bin > K.bin 

# Encrypt hello message with AES-256-CBC 

echo "hello" | openssl enc -aes256 -k K.bin -e -out C.bin 
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Appendix A 

OpenSSL command line operations 

See Fig. 8 and Fig. 9. 

Appendix B 

Assembly code for bn_b i n2bn () function 
See Fig. 10. We observed that the instructions with the com¬ 
ment “SKIP ! !” cause the return value of BN_bin2bn () 
function to have 0 when skipped. 
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Fig. 10: Complete assembly code for BN_bin2bn () 

function, generated by GCC 6.3.0 in Raspberry Pi 


.arch armv6 





49 


bl 

bn_wexpand(PLT) 


. align 

2 





50 


and 

r5, r5, 43 


.global 

BN_ 

Din2bn 




51 


subs 

r9, rO, 40 


. syntax 

unified 




52 


beq 

. L352 


. arm 






53 


mov 

r2 , 40 


. fpu vfp 





54 


mov 

r3, r2 


■type 

BN_ 

Din2bn, %function 



55 


add 

r6, r4, r6 

BN_bin2bn: 






56 


mov 

rO, r2 


@ args 

= o. 

pretend = 0, 

frame = 

0 

57 


str 

rl , [r8, 44] 


@ frame 

_needed = 0, uses 

_anonymous_args = 0 

58 


str 

r2, [r8, 412] 


push 

{ r4 

, r5, r6, r7. 

r8. 

r9. 

rlO, lr) 

59 

. L337 : 




subs 

r 8 , 

r2 , #0 




60 


ldrb 

rl, [r4] , 41 


mov 

r4. 

r0 




61 


cmp 

r5 , 40 


mov 

r6 , 

rl 




62 


sub 

r5, r5, 41 


movne 

r!0 

, 40 




63 


orr 

r3, rl, r3, lsl 48 


beq 

. L351 




64 


beq 

. L338 @ SKIP ! ! 

. L330 : 







65 


cmp 

r4 , r6 








66 


bne 

. L337 


cmp 

r6. 

40 




67 


mov 

rO, r8 


ble 

. L332 




68 


bl 

bn_correct_top (PLT) 


ldrb 

r3. 

[r4] 




69 


mov 

r9, r8 


cmp 

r3. 

40 




70 

. L353 : 




bne 

. L332 




71 


mov 

rO, r9 


add 

r3. 

r4, #1 




72 


pop 

(r4, r5, r6, rl , r8, r9, rlO, pc} 

. L334 : 







73 

. L338 : 




subs 

r6 , 

r6, 41 




74 


ldr 

r2 , [r8] 


mov 

r4 , 

r3 




75 


sub 

rl, rl , 41 


beq 

. L333 




76 


cmp 

r4 , r6 


ldrb 

r2 , 

[r3] 




77 


str 

r3, [r2, rl , lsl 42] @ SKIP!! 


add 

r3. 

r3, 41 

@ SKIP ! ! 


78 


mov 

r5, 43 


cmp 

r2 , 

40 




79 


mov 

r3, rO 


beq 

. L334 




80 


bne 

. L337 

. L332 : 







81 


mov 

rO, r8 


cmp 

r6. 

40 




82 


bl 

bn_correct_top (PLT) 


bne 

. L335 @ SKIP !! 




83 


mov 

r9, r8 

. L333 : 







84 


b 

. L353 


mov 

r9. 

r8 




85 

. L351 : 




mov 

r3. 

40 




86 


bl 

BN_new(PLT) 


str 

r3. 

[r8, 44] 




87 


subs 

r8 , rO, 40 

. L32 9 : 







88 


movne 

rlO, r 8 


mov 

r0. 

r 9 




89 


bne 

. L330 


pop 

{ r4 

, r5, r6, r7. 

r8 , 

r9 , 

rlO, pc} 

90 


mov 

r9, r8 

. L335 : 







91 


b 

. L32 9 


sub 

r5. 

r6, 41 




92 

. L352 : 




mov 

r0. 

r8 




93 


mov 

rO, rlO 


lsr 

r7 , 

r5, 42 




94 


bl 

BN_free(PLT) 


add 

r7 , 

rl, 41 




95 


b 

. L32 9 


mov 

rl. 

rl 




96 


. size 

BN bin2bn, . -BN bin2bn 















